Looking to reduce the number of post-it notes you see stuck around the office? Seeking to automate your user creation processes for Office 365? Or maybe you're interested in single sign-on for everything you host in the cloud? Are you questioning what a cloud identity is?
This session will take you through the basics of identity in the Microsoft Cloud and show you how to set up and configure Office 365 with Azure Active Directory using the Azure Active Directory Connect synchronization tools.
5. Terminology
What is Identity Management?
“Identity management (IdM) describes the management of individual principals, their authentication, authorisation, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.”
https://en.wikipedia.org/wiki/Identity_management
6. Terminology
Authentication: Verifying that a user, device, or service such as an application provided on a network server is the entity that it claims to be.
Authorization: Determining which actions an authenticated entity is authorized to perform on the network.
7. Terminology
Single Sign On (SSO) is the ability for two disjoint Identity Providers (IDP) to trust each other such that a user logged in to one does not need to log in again for the second.
Relying Party (RP) is the system that relies on the IDP to authenticate a user.
Security Assertion Markup Language (SAML): a public standard managed by OASIS. SAML defines both the identity token (the assertion) and the protocol used to request and deliver it.
WS-Federation (WSFED) / WS-Trust: WSFED is used for web browser-based authentication with an IDP. WS-Trust is used by Office client apps to authenticate.*
8. Office 365 Federation Types
WS-Federation is the protocol used to support sign-in to Office 365 using the web interface, sometimes known as “passive authentication.” The browser is redirected to the IDP's sign-in page and back with a token. This includes the Office 365 portal, SharePoint Online, Outlook Web Access, and the Office Web Apps.
WS-Trust is the protocol used to support sign-in to Office 365 using Office client applications, sometimes known as “active authentication.” This includes Outlook, Lync, Word, Excel, PowerPoint, and OneNote. In the active flow the client hands over a username and password instead of being redirected to the IDP's sign-in page, so the IDP cannot insert an interactive step such as an MFA prompt; that limitation is what the ADAL-based Office client sign-in described on slide 72 removes.
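Before either flow starts, Office 365 has to decide whether the user's domain is managed (cloud password) or federated, and if federated, which passive and active endpoints to use. The following PowerShell function is an added example, not code from the deck: it queries the realm-discovery endpoint that Office 365 clients use and reports the passive (WS-Federation) and active (WS-Trust) URLs for a UPN. It assumes network access to login.microsoftonline.com; the UPN in the usage line is a placeholder. The endpoint answers without authentication, so the federation status and STS hostname of any domain are effectively public information, which is worth remembering when you harden the STS.

```powershell
# Realm discovery for an Office 365 sign-in name (added example, not from the deck).
# GetUserRealm.srf is the unauthenticated lookup that Office 365 clients perform
# before authenticating; for a federated domain it returns the on-premises STS endpoints.
function Get-O365Realm {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $login = [uri]::EscapeDataString($UserPrincipalName)
    $url   = "https://login.microsoftonline.com/GetUserRealm.srf?login=$login&xml=1"
    [xml]$xml = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
    $r = $xml.RealmInfo

    [pscustomobject]@{
        User            = $UserPrincipalName
        Domain          = $r.DomainName
        NamespaceType   = $r.NameSpaceType       # Managed, Federated or Unknown
        FederationBrand = $r.FederationBrandName
        # Passive (WS-Federation) endpoint the browser is redirected to
        PassiveAuthUrl  = $r.AuthURL
        # Active (WS-Trust) endpoint used on behalf of legacy Office clients;
        # it accepts username/password directly, so it is the one attackers target
        ActiveStsUrl    = $r.STSAuthURL
    }
}

# Usage (placeholder UPN; substitute a user in a domain you administer):
Get-O365Realm -UserPrincipalName 'alice@contoso.com' | Format-List
```

For a managed domain the two URL fields come back empty; for a federated domain the active URL normally ends in /adfs/services/trust/2005/usernamemixed, the endpoint behind the "active authentication" described above.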
11. Azure Active Directory
What is AAD?
“Azure Active Directory is a comprehensive identity and access management cloud solution that provides a robust set of capabilities to manage users and groups and help secure access to applications including Microsoft online services like Office 365 and a world of non-Microsoft SaaS applications.”
21. Choosing a Model
Choose Federated Identity when:
‐ You already have ADFS or a 3rd party IDP
‐ You require immediate disable or sign-in audit: authentication happens on-premises, so disabling the AD account blocks new sign-ins at once rather than after the next synchronization cycle (tokens already issued remain valid until they expire), and the STS logs every sign-in
‐ SSO is required
‐ You have multiple forests
‐ You need CAC (Common Access Card smart card) or on-premises MFA
‐ The business requires it
26. Deploying Directory Synchronization
Prepare for directory synchronization
Activate directory synchronization
Set up directory synchronization agent
Synchronize directory
Activate synchronized users
Manage directory synchronization
27. IdFix
Errors validated:
‐ Duplicate proxyAddresses
‐ Invalid characters in attributes
‐ Over-length attributes
‐ Format errors in attributes
‐ Use of non-routable domains
‐ Blank attribute that requires a value
Attributes checked:
‐ displayName
‐ givenName
‐ mail
‐ mailNickName
‐ proxyAddresses
‐ sAMAccountName
‐ sn
‐ targetAddress
‐ userPrincipalName
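The checks IdFix performs can also be scripted, which is useful for a scheduled report between sync runs. The script below is an added example written for this page, not the IdFix tool and not code from the deck. It walks enabled users with the ActiveDirectory module and reports the error classes listed above: duplicates (proxyAddresses, mail and UPN, compared across objects with the SMTP: prefix stripped), invalid characters, over-length values, format errors, non-routable UPN suffixes, and a blank displayName on mail-enabled objects. The length limits and invalid-character class follow the published directory-synchronization attribute guidance; $RoutableSuffixes is an assumption you must replace with the domains verified in your tenant.

```powershell
# IdFix-style pre-flight check over on-premises AD (added example, not the IdFix tool).
Import-Module ActiveDirectory

# Assumption: replace with the domains verified in your Office 365 tenant
$RoutableSuffixes = @('contoso.com')
# Maximum lengths accepted by directory synchronization for the attributes IdFix checks
$MaxLen = @{ displayName = 256; givenName = 64; sn = 64; mail = 256; mailNickName = 64
             sAMAccountName = 20; userPrincipalName = 113; targetAddress = 256 }
# Characters rejected in address-style attributes (whitespace included)
$InvalidChars  = '[\s\\%&*+/=?{}|<>();:,\[\]"]'
$AddressFormat = '^[^@]+@[^@]+\.[^@]+$'     # exactly one @ followed by a dotted suffix

function Test-DirSyncReadiness {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $attrs = @($MaxLen.Keys) + 'proxyAddresses'
    $users = Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase $SearchBase -Properties $attrs
    $findings = New-Object System.Collections.Generic.List[object]
    $seen = @{}   # lower-cased address -> first sAMAccountName that carries it

    function Add-Finding($u, $attr, $err, $val) {
        $findings.Add([pscustomobject]@{ User = $u.SamAccountName; Attribute = $attr; Error = $err; Value = $val })
    }

    foreach ($u in $users) {
        # Over-length attributes
        foreach ($a in $MaxLen.Keys) {
            $v = [string]$u.$a
            if ($v.Length -gt $MaxLen[$a]) { Add-Finding $u $a 'length' $v }
        }
        # Invalid characters and format errors in mail and userPrincipalName
        foreach ($a in 'mail', 'userPrincipalName') {
            $v = [string]$u.$a
            if (-not $v) { continue }
            if ($v -match $InvalidChars)     { Add-Finding $u $a 'character' $v }
            if ($v -notmatch $AddressFormat) { Add-Finding $u $a 'format' $v }
        }
        # Blank attribute that requires a value: mail-enabled objects need a displayName
        if ($u.mail -and -not $u.displayName) { Add-Finding $u 'displayName' 'blank' '' }
        # Use of a non-routable domain as the UPN suffix
        $upn = [string]$u.userPrincipalName
        if ($upn -match '@(.+)$' -and $RoutableSuffixes -notcontains $Matches[1]) {
            Add-Finding $u 'userPrincipalName' 'nonroutable' $upn
        }
        # Duplicates: proxyAddresses, mail and UPN must be unique across all objects
        $addresses = @()
        foreach ($p in @($u.proxyAddresses)) { if ($p) { $addresses += "proxyAddresses=$p" } }
        if ($u.mail) { $addresses += "mail=$($u.mail)" }
        if ($upn)    { $addresses += "userPrincipalName=$upn" }
        foreach ($pair in $addresses) {
            $attr, $val = $pair -split '=', 2
            $key = ($val -replace '^smtp:', '').ToLowerInvariant()   # strip the proxy prefix
            if (-not $seen.ContainsKey($key)) { $seen[$key] = $u.SamAccountName }
            elseif ($seen[$key] -ne $u.SamAccountName) {
                Add-Finding $u $attr 'duplicate' "$val (also on $($seen[$key]))"
            }
        }
    }
    return $findings
}

Test-DirSyncReadiness | Sort-Object User, Attribute | Format-Table -AutoSize
```

Duplicates deserve the most attention: a duplicate address or UPN stops the sync engine exporting the second object, and a UPN or mail value shared between two accounts makes the cloud identity ambiguous, which is exactly what a sign-in audit cannot afford.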
28. Prepare for Directory Synchronization
If your on-premises UPN suffix is not an Internet-routable domain, add a routable UPN suffix to the forest (a domain you have verified in Office 365) and update your users' UPNs before the first synchronization; otherwise the synchronized accounts receive a default onmicrosoft.com UPN, which cannot be federated.
http://technet.microsoft.com/library/jj151831.aspx
http://technet.microsoft.com/en-us/library/hh852478.aspx
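The suffix change is two operations: register the routable suffix on the forest, then rewrite each affected UPN. The function below is an added example for this page, not code from the deck. It assumes 'contoso.local' is the non-routable suffix, 'contoso.com' is already verified in the tenant, and the caller holds Enterprise Admin rights (needed for Set-ADForest). It runs with -WhatIf until -Commit is supplied, and skips any rewrite that would collide with an existing UPN, since cloud UPNs must be unique.

```powershell
# Add a routable UPN suffix and move users onto it (added example, not from the deck).
Import-Module ActiveDirectory

function Set-RoutableUpnSuffix {
    param(
        [Parameter(Mandatory)][string]$OldSuffix,   # assumption: e.g. contoso.local
        [Parameter(Mandatory)][string]$NewSuffix,   # assumption: e.g. contoso.com, verified in O365
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [switch]$Commit                             # without it, every change is a -WhatIf dry run
    )

    # 1. Make the suffix available forest-wide (no-op if it is already registered)
    $forest = Get-ADForest
    if (@($forest.UPNSuffixes) -notcontains $NewSuffix) {
        Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $NewSuffix } -WhatIf:(-not $Commit)
    }

    # 2. Rewrite the UPN of every user still on the old suffix
    $users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -SearchBase $SearchBase
    $changed = 0
    foreach ($u in $users) {
        $newUpn = $u.UserPrincipalName -replace "@$([regex]::Escape($OldSuffix))$", "@$NewSuffix"
        # Cloud UPNs must be unique: never create a collision while fixing the suffix
        if (Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'") {
            Write-Warning "$newUpn already exists; skipping $($u.SamAccountName)"
            continue
        }
        Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf:(-not $Commit)
        $changed++
    }
    return $changed
}

# Dry run first, review the -WhatIf output, then commit:
Set-RoutableUpnSuffix -OldSuffix 'contoso.local' -NewSuffix 'contoso.com'
# Set-RoutableUpnSuffix -OldSuffix 'contoso.local' -NewSuffix 'contoso.com' -Commit
```

Do this before the first synchronization where you can: a UPN changed after the object already exists in Azure Active Directory is a rename of a cloud identity, which is a noisier change to audit than creating it correctly.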
29. IdFix without errors…
Select Multi-Tenant mode for Office 365 Public Cloud (the Dedicated mode is for Office 365 Dedicated customers).
An empty results grid means no errors were found.
The log file will report that no duplicates exist.
71. Alternate Login ID
Use it when your on-premises UPN is non-routable on the public internet and you can’t easily update UPN suffixes: AD FS authenticates the user by another attribute (typically mail) while the UPN stays as it is. That attribute must be populated and unique across the lookup forests, and the synchronization rules must be edited so the same attribute becomes the cloud UPN.
Requires Windows Server 2012 R2 for AD FS*
Requires comfort with FIM and editing Management Agents
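The AD FS side of Alternate Login ID is a single setting on the built-in Active Directory claims provider trust, but it is only safe to apply once the chosen attribute is populated and unique, because a blank or duplicated value makes the user lookup fail or ambiguous. The script below is an added example for this page, not code from the deck. It assumes mail is the attribute, 'contoso.local' is the lookup forest, the ActiveDirectory and ADFS modules are available, and the session runs as an AD FS administrator on a 2012 R2 farm with the Alternate Login ID update installed.

```powershell
# Alternate Login ID on AD FS 2012 R2, with a readiness check first (added example, not from the deck).
Import-Module ActiveDirectory
Import-Module ADFS

function Test-AlternateLoginIdAttribute {
    param([string]$Attribute = 'mail', [string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $users = Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase $SearchBase -Properties $Attribute
    # Every user must carry the attribute, and no two users may share a value
    $blank = $users | Where-Object { -not $_.$Attribute }
    $dups  = $users | Where-Object { $_.$Attribute } |
             Group-Object { ([string]$_.$Attribute).ToLowerInvariant() } |
             Where-Object Count -gt 1
    [pscustomobject]@{
        Attribute  = $Attribute
        Users      = @($users).Count
        Blank      = @($blank).Count
        Duplicates = @($dups).Count
        Ready      = ((@($blank).Count + @($dups).Count) -eq 0)
    }
}

function Enable-AlternateLoginId {
    param([string]$Attribute = 'mail', [Parameter(Mandatory)][string[]]$LookupForests)
    $readiness = Test-AlternateLoginIdAttribute -Attribute $Attribute
    if (-not $readiness.Ready) {
        throw "Fix $($readiness.Blank) blank and $($readiness.Duplicates) duplicate '$Attribute' values before enabling"
    }
    # "AD AUTHORITY" is the identifier of the built-in Active Directory claims provider trust
    Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID $Attribute -LookupForests $LookupForests
    Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY' | Select-Object Name, AlternateLoginID, LookupForests
}

# Assumption: 'contoso.local' is the (non-routable) forest whose users sign in with their mail address
Enable-AlternateLoginId -Attribute 'mail' -LookupForests 'contoso.local'
```

The readiness check is the part to keep running after the change: a new account with a blank mail attribute, or a mailbox alias copied onto a second user, silently reintroduces the failure the check guards against.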
72. Office Client Passive Authentication
SSO with passive authentication
‐ Works with WSFED and SAML 2.0
Went Tech Preview in Nov 2014
Requires Office Client updates
‐ Move to Active Directory Authentication Library (ADAL)
‐ OAUTH for passive authentication
‐ Support for MFA with AAD
‐ CAC/PIV support
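Turning on the ADAL-based sign-in has a service side and a client side. The two functions below are an added example for this page, not code from the deck: the first flips the tenant settings in Exchange Online and Skype for Business Online so they accept OAuth tokens, the second sets the two registry values Office 2013 needs before it uses ADAL (Office 2016 uses it by default). They assume an Exchange Online remote PowerShell session and a Skype for Business Online session are already open with admin rights, and that the client function runs in the user's own context on the workstation.

```powershell
# Enable ADAL-based (modern) authentication for Office clients (added example, not from the deck).

# --- Service side: run once per tenant in connected EXO and SfB Online sessions ---
function Enable-TenantModernAuth {
    # Exchange Online: accept OAuth2 bearer tokens from Office clients
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    # Skype for Business Online: allow ADAL-capable clients to use it
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

    [pscustomobject]@{
        ExchangeOnline   = (Get-OrganizationConfig).OAuth2ClientProfileEnabled   # expect True
        SkypeForBusiness = (Get-CsOAuthConfiguration).ClientAdalAuthOverride     # expect Allowed
    }
}

# --- Client side: Office 2013 with the ADAL update, run as the signed-in user ---
function Enable-Office2013Adal {
    $key = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Both values are required; EnableADAL alone is ignored without Version
    New-ItemProperty -Path $key -Name EnableADAL -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name Version    -PropertyType DWord -Value 1 -Force | Out-Null
    Get-ItemProperty -Path $key | Select-Object EnableADAL, Version
}

Enable-TenantModernAuth
Enable-Office2013Adal
```

Enabling modern authentication does not by itself switch off the WS-Trust active path: clients that have not been updated keep sending username and password, so the MFA benefit only applies once legacy sign-in is also blocked.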
73. Works with Office 365 – Identity program
What is it?
‐ Qualification of third party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third party identity providers are used.
Program Requirements
‐ Published Qualification Requirements
‐ Published Technical Integration Docs
‐ Automated Testing Tool
‐ Self Testing work by Partner
‐ Predictable and Shorter Qualification
Customer Benefits
• Flexibility to reuse existing identity provider investments
• Confidence that the solution is qualified by Microsoft
• Coordinated support between the partner and Microsoft
WS-Trust & WS-Federation
SAML (passive auth)
*For representative purposes only.
74. Office 365 Federation Options
‐ Suitable for medium, large enterprises including educational organizations
‐ Suitable for medium, large enterprises including educational organizations
‐ Suitable for educational organizations
‐ For organizations that need to use SAML 2.0
76. The end to end Microsoft Stack
WS-Federation
WS-Trust
77. Agenda
Identity Management in Office 365
Identity Scenarios
Synchronization Demo
Add-ons and More to Think About
79. http://www.SPintersection.com
Resources
Use third-party identity providers to implement single sign-on
Deployment scenarios for Office 365 with single sign-on and Azure
Choosing a sign-in model for Office 365
Password hash sync simplifies user management for Office 365
Directory Integration Tools
Using smart links or IdP initiated authentication with Office 365
Using Alternate Login IDs with Azure Active Directory
Office 365 SAML 2.0 Federation Implementer’s Guide
Simplified login to Yammer from Office 365
Multi-Factor Authentication for Office 365
Office 365 User Account Management